Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Epragma Redmine Issue
v0.0.1
Read Redmine issues from any Redmine server via REST API with configurable URL and credentials. Use when you need to fetch a single issue, list/filter issues...
by Angelos Panagiotakis (@agelospanagiotakis)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (read/create/update Redmine issues) align with the code and instructions. The skill legitimately needs a REDMINE_URL and REDMINE_API_KEY. However, registry metadata lists no required env vars while SKILL.md and the code require them; the code also accepts REDMINE_BASE_URL as an alternate which is undocumented in SKILL.md (memory note mentions swapped env support).
Instruction Scope
SKILL.md tells the agent to run the included Node scripts which only call the Redmine REST API. The runtime instructions and code do not reference unrelated system files or external endpoints beyond the configured Redmine base URL.
Install Mechanism
There is no install spec (instruction-only style). Code files are included but nothing is downloaded or auto-installed from external URLs, so install risk is low.
Credentials
Requested secrets (Redmine URL and API key) are proportionate to the skill. But the skill's metadata did not declare these required env vars, and the code also references REDMINE_BASE_URL and implements a swapped-vars fallback. This inconsistency could cause misconfiguration and surprises. Also the implementation of env-var handling appears buggy (see next guidance).
Persistence & Privilege
The skill does not request persistent/system-wide privileges and sets always:false. It does not modify other skills or system settings.
Assessment
This skill appears to do what it says — interact with a Redmine instance using a base URL and API key — but check a few things before installing:
- Verify and set the REDMINE_URL and REDMINE_API_KEY (the registry metadata omitted these even though SKILL.md and the code require them). The code also looks for REDMINE_BASE_URL as an alternate; decide which variables you'll use and be consistent.
- Review and/or fix the env-var logic in scripts/lib/redmine.js: the REDMINE_URL initializer uses a startsWith check incorrectly (it may evaluate to a boolean and cause runtime errors). Consider patching that before relying on the skill in automation.
- Keep your API key secret and test the skill in an isolated environment first (it sends requests only to the configured Redmine URL). If you plan to use it in automation, ensure the agent runs with least privilege and rotate the API key if it was exposed during testing.
- Ensure the Node runtime used supports global fetch (Node 18+), or add a fetch polyfill if needed.
If you want higher assurance, ask the author to correct the metadata to list required env vars and to fix the env-handling bug; otherwise run the provided scripts locally against a test Redmine instance first.
Like a lobster shell, security has layers — review code before you run it.
